Advisories for Cargo/Git2 package

If the Buf struct is dereferenced immediately after calling new() or default() on the Buf struct, a null pointer is passed to the unsafe function slice::from_raw_parts. According to the safety section documentation of the function, data must be non-null and aligned even for zero-length slices or slices of ZSTs. Thus, passing a null pointer will lead to undefined behavior.

The git2 and libgit2-sys crates are Rust wrappers around the libgit2 C library. It was discovered that libgit2 1.5.0 and below did not verify SSH host keys when establishing an SSH connection, exposing users of the library to Man-In-the-Middle attacks. The libgit2 team assigned CVE-2023-22742 to this vulnerability. The following versions of the libgit2-sys Rust crate have been released: libgit2-sys 0.14.2, updating the underlying libgit2 C library to version 1.5.1. …